Abstract

For a secret sharing scheme, two parameters $d_{min}$ and $d_{cheat}$ are defined in [12] and [13]. These two parameters measure the error-correcting capability and the secret-recovering capability of the secret sharing scheme against cheaters. Some general properties of the parameters have been studied in [12], [9] and [13]. The MDS secret sharing scheme was defined in [13], and it was proved there that an MDS perfect secret sharing scheme can be constructed for any monotone access structure. The famous Shamir $(k,n)$ threshold secret sharing scheme is MDS with $d_{min} = d_{cheat} = n - k + 1$. In [3] we proposed the linear secret sharing scheme from algebraic-geometric codes. In this paper the linear secret sharing scheme from AG-codes on elliptic curves is studied and it is shown that many of them are MDS linear secret sharing schemes.
Index Terms: Secret-sharing scheme, MDS secret sharing scheme, AG-code, elliptic curve

I. Introduction and Preliminaries 

In a secret-sharing scheme among the set of players $P = \{P_1, \dots, P_n\}$, a dealer $P_0$, not in $P$, has a secret; the dealer distributes the secret among $P$ such that only the qualified subsets of players can reconstruct the secret from their shares. The access structure $\Gamma \subset 2^P$ of a secret-sharing scheme is the family of the qualified subsets of $P$. The minimum access structure $\min \Gamma \subset 2^P$ is defined to be the set of minimal elements of $\Gamma$ (here we use the natural order relation on $2^P$: $S_1 \le S_2$ if and only if $S_1 \subset S_2$). We call a secret-sharing scheme a $(k,n)$-threshold scheme if the access structure consists of the subsets of at least $k$ elements of the set $P$, where $P$ has exactly $n$ elements; that is, among the $n$ players any subset of $k$ or more players can reconstruct the secret. The first secret-sharing schemes were given independently by Blakley [2] and Shamir [15] in 1979; both of them are threshold secret-sharing schemes. We call a secret-sharing scheme perfect if the unqualified subsets of players have no information about the secret. The existence of secret-sharing schemes with arbitrary given access structures was proved in [1] and [8]. Let $K$ be a finite field; we refer to [4] for the definition of a linear secret sharing scheme (LSSS) over $K$ ($K$-LSSS) and its relation with linear error-correcting codes.

For a secret-sharing scheme, we denote by $V$ the set of all possible share vectors $(v_1, \dots, v_n)$ (here $v_i$ is the share of the player $P_i$ for $i = 1, \dots, n$). Then $V$ is an error-correcting code (not necessarily linear); let $d_{min}$ be the minimum Hamming distance of this error-correcting code $V$. From the error-correcting capability it is clear that the cheaters can be identified from any share vector $(v_1, \dots, v_n)$ presented by the players if there are at most $\lfloor (d_{min} - 1)/2 \rfloor$ cheaters. In [12] McEliece and Sarwate proved that $d_{min} = n - k + 1$ for Shamir's $(k,n)$-threshold scheme. K. Okada and K. Kurosawa introduced another parameter $d_{cheat}$ for a general secret-sharing scheme, as the number such that the correct secret value $s$ can be recovered if there are at most $\lfloor (d_{cheat} - 1)/2 \rfloor$ cheaters (see [13]). It is clear that $d_{min} \le d_{cheat}$. In [13] the authors proved that
$$d_{cheat} = n - \max_{B \in 2^P - \Gamma} |B|,$$
where $|B|$ is the number of elements of the set $B$, so the maximum is taken over the unqualified subsets of $P$. The secret sharing scheme is called MDS if $d_{min} = d_{cheat} = n - \max_{B \in 2^P - \Gamma} |B|$. It was also proved in [13] that any monotone access structure can be realized by a perfect MDS secret sharing scheme.

The approach to secret-sharing based on error-correcting codes was studied in [4], [5], [9], [10], [11] and [12]. It turns out that Shamir's $(k,n)$-threshold scheme is just the secret-sharing scheme based on the famous Reed-Solomon (RS) code. The secret-sharing scheme based on an error-correcting code is defined as follows. Suppose $C$ is a linear error-correcting code over the finite field $GF(q)$ ($q$ a prime power) with code length $n + 1$ and dimension $k$, i.e., $C$ is a $k$-dimensional subspace of $GF(q)^{n+1}$. The Hamming distance $d(C)$ of this error-correcting code $C$ is defined as
$$d(C) = \min\{\,wt(v) : v \in C,\ v \ne 0\,\}, \qquad wt(v) = |\{\, i : v_i \ne 0 \,\}| \ \text{ for } v = (v_0, v_1, \dots, v_n),$$
where $wt(v)$ is called the Hamming weight of $v$. Let $G = (g_{ij})_{1 \le i \le k,\ 0 \le j \le n}$ be a generator matrix of $C$, i.e., $G$ is a $k \times (n+1)$ matrix whose $k$ rows form a basis of the $k$-dimensional subspace $C$ of $GF(q)^{n+1}$. Suppose $s$ is a given secret value of the dealer $P_0$ and the secret is to be shared among $P = \{P_1, \dots, P_n\}$, the set of $n$ players. Let $g_0 = (g_{10}, \dots, g_{k0})^T$ be the $0$-th (first) column of $G$. Choose a random $u = (u_1, \dots, u_k) \in GF(q)^k$ such that $s = u\, g_0 = \sum_{i=1}^k u_i g_{i0}$. We have the codeword $c = (c_0, c_1, \dots, c_n) = uG$; clearly $c_0 = s$ is the secret, and the dealer $P_0$ gives the $i$-th player $P_i$ the value $c_i$ as the share of $P_i$ for $i = 1, \dots, n$. In this secret-sharing scheme the error-correcting code $C$ is assumed to be known to every player and the dealer. For a secret sharing scheme from an error-correcting code, the secret and the shares are the values at $u$ of the linear maps $GF(q)^k \to GF(q)$, $x \mapsto x\, g_i$, for $i = 0, \dots, n$, where $g_i$ is the $i$-th column of the generator matrix of the code $C$. In this form we see that the secret sharing scheme is an ideal linear secret sharing scheme over $GF(q)$ ($GF(q)$-LSSS, see [4]).

We refer the following Lemma to [5], [10] and [11].

Lemma 1 (see [5], [8] and [11]). Suppose the dual code of $C$, $C^\perp = \{v = (v_0, \dots, v_n) : Gv = 0\}$, has no codeword of Hamming weight $1$. In the above secret-sharing scheme based on the error-correcting code $C$, the players $P_{i_1}, \dots, P_{i_m}$ can reconstruct the secret if and only if there is a codeword $v = (1, 0, \dots, 0, v_{i_1}, 0, \dots, 0, v_{i_m}, 0, \dots, 0)$ in $C^\perp$ (that is, $v_0 = 1$ and $v_j = 0$ for every $j \notin \{0, i_1, \dots, i_m\}$) such that $v_{i_j} \ne 0$ for at least one $j$, $1 \le j \le m$.

The secret reconstruction is as follows. Since $Gv = 0$, we have $g_0 = -\sum_{j=1}^m v_{i_j} g_{i_j}$, where $g_h$ is the $h$-th column of $G$ for $h = 0, \dots, n$. Then
$$s = c_0 = u\, g_0 = -u \sum_{j=1}^m v_{i_j} g_{i_j} = -\sum_{j=1}^m v_{i_j} c_{i_j}.$$

We need to recall some basic facts about algebraic-geometric codes. Let $X$ be an absolutely irreducible, projective and smooth curve defined over $GF(q)$ with genus $g$, let $D = \{P_0, \dots, P_n\}$ be a set of $GF(q)$-rational points of $X$ and let $G$ be a $GF(q)$-rational divisor satisfying $\mathrm{supp}(G) \cap D = \emptyset$. Let $L(G) = \{f : (f) + G \ge 0\}$ be the linear space (over $GF(q)$) of all rational functions whose divisor is not smaller than $-G$, and let $\Omega(B) = \{\omega : (\omega) \ge B\}$ be the linear space of all differentials whose divisor is not smaller than $B$. Then the functional AG (algebraic-geometric) code $C_L(D,G) \subset GF(q)^{n+1}$ and the residual AG code $C_\Omega(D,G) \subset GF(q)^{n+1}$ are defined as usual. $C_L(D,G)$ is an $[\,n+1,\ k = \dim L(G) - \dim L(G - D),\ d \ge n + 1 - \deg(G)\,]$ code over $GF(q)$, and $C_\Omega(D,G)$ is an $[\,n+1,\ k = \dim \Omega(G - D) - \dim \Omega(G),\ d \ge \deg(G) - 2g + 2\,]$ code over $GF(q)$. We know that the functional code is just the evaluations of the functions in $L(G)$ at the points of $D$, and the residual code is just the residues at the points of $D$ of the differentials in $\Omega(G - D)$ (see [16], [17] and [18]).

We also know that $C_L(D,G)$ and $C_\Omega(D,G)$ are dual codes. It is known that for a differential $\eta$ which has simple poles at $P_0, \dots, P_n$ with residue $1$ at each of them (such an $\eta$ always exists, see [16]) we have $C_\Omega(D,G) = C_L(D, D - G + (\eta))$, the function $f$ corresponding to the differential $f\eta$. This means that functional codes and residue codes are essentially the same.

II. Main Results 

Let $X$ be an absolutely irreducible, projective and smooth curve defined over $GF(q)$ with genus $g$, let $D = \{P_0, \dots, P_n\}$ be a set of $GF(q)$-rational points of $X$ and let $G$ be a $GF(q)$-rational divisor of degree $m$ satisfying $\mathrm{supp}(G) \cap D = \emptyset$. We have an LSSS on the $n$ players $P = \{P_1, \dots, P_n\}$ from the linear code $C_\Omega(D,G)$ (the secret sits at the coordinate of $P_0$), and by Lemma 1 the reconstruction of the secret is based on its dual code $C_L(D,G)$. For a curve of genus $0$ over $GF(q)$ we get exactly the same LSSS as Shamir's $(k,n)$-threshold scheme, since the AG-codes on a curve of genus $0$ are just the RS codes (see [16], [17] and [18]).

The following Theorem 4 and Corollary 1 are the main results of this paper.

Theorem 1. For the LSSS over $GF(q)$ from the code $C_\Omega(D,G)$ we have
$$m - 2g + 1 \le d_{min} \le d_{cheat} \le m + 1.$$

Proof. From the theory of AG-codes ([12-14]) we know that $C_\Omega(D,G)$ can be identified with $C_L(D, D - G + (\eta))$, whose minimum Hamming weight is at least $n + 1 - \deg(D - G + (\eta)) = n + 1 - (n + 1 - m + 2g - 2) = m - 2g + 2$. The share vectors are the codewords of $C_\Omega(D,G)$ with the coordinate of $P_0$ deleted, so $d_{min} \ge m - 2g + 1$.

On the other hand, any subset of $P$ with fewer than $n - m$ elements is not qualified: by Lemma 1 a qualified subset $A$ requires a codeword of $C_L(D,G)$ supported on the coordinates of $\{P_0\} \cup A$, and the minimum Hamming weight of $C_L(D,G)$ is at least $n + 1 - m$. Hence $\max_{B \in 2^P - \Gamma} |B| \ge n - m - 1$, and from the equality $d_{cheat} = n - \max_{B \in 2^P - \Gamma} |B|$ we have $d_{cheat} \le n - (n - m - 1) = m + 1$. The conclusion is proved.

We need to recall the following result from [14].

Theorem 2 (see [14] and [7]). 1) Let $E$ be an elliptic curve over $GF(q)$ with group of $GF(q)$-rational points $E(GF(q))$. Then $E(GF(q))$ is isomorphic to $Z_{n_1} \oplus Z_{n_2}$, where $n_1$ is a divisor of $q - 1$ and of $n_2$.
2) If $E$ is supersingular, then $E(GF(q))$ is either

a) cyclic;

b) or $Z_2 \oplus Z_{(q+1)/2}$;

d) or $Z_{\sqrt{q}+1} \oplus Z_{\sqrt{q}+1}$.

For any given elliptic curve $E$ over $GF(q)$, let $D' = \{g_0, g_1, \dots, g_H\}$ be a subset of $E(GF(q))$ of $H + 1$ non-zero elements, and let $G = mO$ ($O$ is the point which is the zero element of $E(GF(q))$). Let $g_0, \dots, g_H$ correspond to the rational points $P_0, P_1, \dots, P_H$ of $E(GF(q))$. In the construction we take $D = D'$ (so $n = H$) and $P = \{P_1, \dots, P_H\}$. We have the following result.

Theorem 3. a) Let $A = \{P_{i_1}, \dots, P_{i_t}\}$ be a subset of $P$ with $t$ elements, and let $B$ be the element of $E(GF(q))$ such that the group sum of $B$ and $g_{i_1}, \dots, g_{i_t}$ is zero in the group $E(GF(q))$. Then $A^c$ (here $A^c$ is the set $P - A$) is a qualified subset for the LSSS from $C_\Omega(D,G)$ only if $t \le m$, and
1) when $t = m$, $A^c$ is a minimal qualified subset if and only if $B = O$, the zero element of $E(GF(q))$;
2) when $t = m - 1$, $A^c$ is a minimal qualified subset if and only if $B$ is not in $D$ or $B$ is in the set $A$.

b) Any subset of $P$ with at least $n - m + 2$ elements is qualified.

Proof. From the theory of AG-codes, the minimum Hamming weight of $C_L(D,G)$ is at least $n + 1 - m$; by Lemma 1 a reconstruction codeword for $A^c$ is supported on the coordinates of $\{P_0\} \cup A^c$, which has $n - t + 1$ elements, thus $A^c$ is a qualified subset only if $t \le m$.

We know that for any $t$ points $W_1, \dots, W_t$ in $E(GF(q))$ the divisor $W_1 + \dots + W_t - tO$ is linearly equivalent to the divisor $W - O$, where $W$ is the group sum of $W_1, \dots, W_t$ in the group $E(GF(q))$. $\{P_{i_1}, \dots, P_{i_m}\}^c$ is a qualified subset (and therefore a minimal qualified subset, since by the proof of Theorem 1 no subset with fewer than $n - m$ elements is qualified) if and only if there exists a function $f \in L(G)$ such that $f(P_{i_1}) = \dots = f(P_{i_m}) = 0$ (such an $f$ has no further zeros, so $f(P_0) \ne 0$ automatically); this means that the divisor $P_{i_1} + \dots + P_{i_m}$ is linearly equivalent to $G = mO$, i.e., $B = O$. The conclusion of a) 1) is proved.

$\{P_{i_1}, \dots, P_{i_{m-1}}\}^c$ is a qualified subset if and only if there exists a function $f \in L(G)$ such that $f(P_{i_1}) = \dots = f(P_{i_{m-1}}) = 0$ and $f(P_0) \ne 0$; this means that the divisor $P_{i_1} + \dots + P_{i_{m-1}} + B'$ is linearly equivalent to $G$ for some effective divisor $B'$ with $P_0 \notin \mathrm{supp}(B')$. It is clear that $\deg(B') = 1$, so $B'$ is a $GF(q)$-rational point of $E$, and $B'$ is just the $B$ in the condition. Hence $A^c$ is qualified if and only if $B \ne P_0$. If $B$ is a point of $D - A - \{P_0\}$, then $f$ also vanishes at $B$ and the smaller subset $(A \cup \{B\})^c$ is qualified by 1), so $A^c$ is not minimal; otherwise $B$ is in $A$ or $B$ is not in $D$, and $A^c$ is minimal. The conclusion of a) 2) is proved.

If $A$ is a subset of $P$ with $|A| \le m - 2$, the divisor $G - A$ has degree $\deg(G - A) \ge 2$, so the corresponding linear system has no base point. We can find a function in $L(G - A)$ which is not zero at $P_0$, thus we have a codeword in $C_L(D,G)$ which is not zero at $P_0$ and zero at all points of $A$. This implies that $A^c$ is a qualified subset. The conclusion of b) is proved.

The following Corollary is a direct consequence of Theorem 3.

Corollary 1. If there is a subset of $P$ of $H - m + 1$ elements which is not an $A^c$ of type 2) as in Theorem 3 and does not contain any subset of $H - m$ elements of type 1) in Theorem 3 a), then the LSSS in Theorem 1 is an MDS (perfect) ideal secret sharing scheme. (Such a subset is unqualified, so $d_{cheat} \le m - 1$, while Theorem 1 with $g = 1$ gives $d_{min} \ge m - 1$.)

Theorem 4. If $D \cup \{O\}$ is a subgroup of $E(GF(q))$, then the ideal LSSS in Theorem 3 is MDS.

Proof. We prove that there exist $m - 1$ distinct elements $g_{i_1}, \dots, g_{i_{m-1}}$ in $P$ such that $g_{i_1} + \dots + g_{i_{m-1}} = -g_0$. First we choose $2$ elements $g_{i_1}, g_{i_2}$ when $m - 1$ is even (or $3$ elements $g_{i_1}, g_{i_2}, g_{i_3}$ when $m - 1$ is odd) in the group $D \cup \{O\}$ such that $g_{i_1} + g_{i_2} = -g_0$ ($g_{i_1} + g_{i_2} + g_{i_3} = -g_0$ when $m - 1$ is odd). The other $m - 3$ (when $m - 1$ is even, or $m - 4$ when $m - 1$ is odd) elements can be taken to be pairs of elements $(g_i, -g_i)$. Since $D \cup \{O\}$ is a group, the desired points can always be found (provided the group is large enough for all these elements to be chosen distinct, non-zero and different from $g_0$).

Let $A$ be this subset of $m - 1$ elements of $P$. If $A^c$ were qualified, it would contain a minimal qualified subset, which by Theorem 3 is either $A^c$ itself with $B \notin D$ or $B \in A$, or the complement of an $m$-subset $A \cup \{P_j\}$ with $g_{i_1} + \dots + g_{i_{m-1}} + g_j = O$. But here $B$ corresponds to $g_0$, i.e., $B = P_0 \in D - A$, and the second case forces $g_j = g_0$, i.e., $P_j = P_0 \notin P$; this contradicts Theorem 3. So $A^c$ is a subset of $P$ with $n - m + 1$ elements which is not qualified. This implies $d_{cheat} \le n - (n - m + 1) = m - 1$. From Theorem 1 (with $g = 1$), $m - 1 \le d_{min} \le d_{cheat} \le m - 1$, so we have $d_{min} = d_{cheat} = m - 1$. The conclusion is proved.

III. Examples 

Example 1. Let $E$ be the elliptic curve $y^2 = x^3 + 5x + 4$ defined over $GF(7)$. Then $E(GF(7))$ is a cyclic group of order $10$ with $O$ the point at infinity and $P_0 = (3,2)$, $P_1 = (2,6)$, $P_2 = (4,2)$, $P_3 = (0,5)$, $P_4 = (5,0)$, $P_5 = (0,2)$, $P_6 = (4,5)$, $P_7 = (2,1)$, $P_8 = (3,5)$. From an easy computation we know that $P_0$ is a generator of $E(GF(7))$ and $P_i = (i+1)P_0$ (in the group operation of $E(GF(7))$). We take $G = 3O$, $D = \{P_0, P_1, P_3, P_5, P_7\}$; then the access structure of the ideal $GF(7)$-LSSS from $C_\Omega(D,G)$ on $P = \{P_1, P_3, P_5, P_7\}$ consists of the following subsets.

1) All subsets of $P$ with $3$ elements and the set $P$;

2) the following $6$ subsets of $2$ elements: $\{P_1,P_7\}$, $\{P_1,P_3\}$, $\{P_1,P_5\}$, $\{P_3,P_5\}$, $\{P_3,P_7\}$, $\{P_5,P_7\}$; these are the minimal qualified subsets.

(Here $D \cup \{O\} = \{0,1,2,4,6,8\} \subset Z_{10}$ is not a subgroup, so Theorem 4 does not apply, and the list comes from Theorem 3: for a pair $A$ the element $B = -(g_{i_1} + g_{i_2})$ is never $P_0 = 1$, and no $3$-subset of $\{2,4,6,8\}$ sums to $0$ in $Z_{10}$.) Every subset of $P$ with $2$ elements is qualified and no single player is, so $d_{cheat} = 4 - 1 = 3$. Theorem 1 only gives $2 \le d_{min} \le 3$ here; a direct computation of the share code (the $[4,2]$ code obtained from $C_\Omega(D,G)$ by deleting the coordinate of $P_0$, spanned over $GF(7)$ by $(1,1,1,0)$ and $(3,1,0,1)$ in the order $P_1, P_3, P_5, P_7$) shows that its minimum weight is $3$. So $d_{min} = d_{cheat} = 3$ and this ideal LSSS is MDS, with $d_{min} = d_{cheat} = m$ rather than the value $m - 1$ of Theorem 4.
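The dealing and the Lemma 1 reconstruction of Section I, carried out on the curve and divisor of this example, as an added worked example (this code is not part of the original paper): it evaluates the basis $\{1, x, y\}$ of $L(3O)$ at $D$ to get $C_L(D,G)$, takes its null space as $C_\Omega(D,G)$, deals a secret, reconstructs it from a qualified pair with a codeword $v$ of $C_L(D,G)$ having $v_0 = 1$, and then brute-forces the access structure, $d_{min}$ and $d_{cheat}$. The $GF(7)$ arithmetic and the Gaussian elimination are plain Python written for this example; the only inputs assumed are the curve equation and the point list of Example 1.

```python
"""The code-based LSSS of Section I on the curve of Example 1:
E: y^2 = x^3 + 5x + 4 over GF(7), G = 3O, D = {P0, P1, P3, P5, P7}.
Shares are codewords of C_Omega(D,G) = C_L(D,G)^perp with the secret in
coordinate 0; reconstruction follows Lemma 1 with a codeword of C_L(D,G)."""
from itertools import combinations, product
import random

p = 7                                   # GF(7), the field of Example 1
# Affine coordinates of the points of D, P_0 first (taken from Example 1).
D = [(3, 2), (2, 6), (0, 5), (0, 2), (2, 1)]     # P0, P1, P3, P5, P7
N = len(D)                              # code length n + 1 = 5, so n = 4 players
PLAYERS = range(1, N)                   # coordinates 1..4 carry the shares

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + 5 * x + 4)) % p == 0

# L(3O) has basis {1, x, y}; C_L(D, 3O) is generated by their values at D.
GL = [[1] * N, [x % p for x, _ in D], [y % p for _, y in D]]

def nullspace(rows):
    """Basis of {v : rows * v = 0} over GF(p) by Gaussian elimination."""
    M = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(N):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        iv = pow(M[r][c], p - 2, p)
        M[r] = [(v * iv) % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in [c for c in range(N) if c not in pivots]:
        v = [0] * N
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-M[i][fc]) % p
        basis.append(v)
    return basis

C_OMEGA = nullspace(GL)                 # generator rows of C_Omega(D,G) (k = 2 here)

def codewords(basis):
    for coeffs in product(range(p), repeat=len(basis)):
        yield [sum(a * b[j] for a, b in zip(coeffs, basis)) % p for j in range(N)]

def deal(secret, rng=random):
    """Dealer: a random codeword c = uG of C_Omega with c_0 = secret;
    player P_i receives c_i (Section I)."""
    c = rng.choice([c for c in codewords(C_OMEGA) if c[0] == secret % p])
    return {i: c[i] for i in PLAYERS}

def reconstruction_vector(A):
    """Lemma 1: a codeword v of C_L(D,G) = C_Omega^perp with v_0 = 1 and
    v_j = 0 for every player j not in A; None if A is not qualified."""
    for v in codewords(GL):
        if v[0] == 1 and all(v[j] == 0 for j in PLAYERS if j not in A):
            return v
    return None

def reconstruct(A, shares):
    """s = c_0 = -sum_{j in A} v_j c_j (Lemma 1), or None if A is unqualified."""
    v = reconstruction_vector(A)
    return None if v is None else (-sum(v[j] * shares[j] for j in A)) % p

def access_structure():
    return {A for r in range(N) for A in combinations(PLAYERS, r)
            if reconstruction_vector(A) is not None}

def minimal_qualified():
    Q = access_structure()
    return {A for A in Q if not any(set(B) < set(A) for B in Q)}

def d_min():
    """Minimum weight of the share vectors (c_1, ..., c_n)."""
    return min(sum(1 for x in c[1:] if x) for c in codewords(C_OMEGA) if any(c[1:]))

def d_cheat():
    """n - max |B| over the unqualified subsets B (Okada-Kurosawa)."""
    Q = access_structure()
    return (N - 1) - max(len(A) for r in range(N)
                         for A in combinations(PLAYERS, r) if A not in Q)

if __name__ == "__main__":
    assert all(on_curve(pt) for pt in D)
    shares = deal(5)
    print("shares:", shares)
    print("P1,P3 recover:", reconstruct((1, 2), shares), " P1 alone:", reconstruct((1,), shares))
    print("minimal qualified (share coordinates):", sorted(minimal_qualified()))
    print("d_min =", d_min(), " d_cheat =", d_cheat())
```

The coordinates 1, 2, 3, 4 stand for $P_1, P_3, P_5, P_7$; the brute force returns the six pairs as minimal qualified subsets and $d_{min} = d_{cheat} = 3$, matching the corrected conclusion above.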

Example 2. Let $E$ be the elliptic curve $y^2 + y = x^3$ defined over $GF(4)$. This is the Hermitian curve over $GF(4)$; it has $9$ rational points and $E(GF(4))$ is isomorphic to $Z_3 \oplus Z_3$. We take $G = 3O$, where $O$ is the zero element of the group $E(GF(4))$. Let $P_{ab}$ be the rational point on $E$ corresponding to $(a,b)$ in $Z_3 \oplus Z_3$. Take $D = \{P_{10}, P_{01}, P_{02}, P_{11}, P_{12}, P_{20}, P_{21}, P_{22}\}$ (all non-zero points, with $P_0 = P_{10}$) and $P = \{P_{01}, P_{02}, P_{11}, P_{12}, P_{20}, P_{21}, P_{22}\}$. By Theorem 3 the qualified subsets of $P$ are as follows.

1) The minimal qualified subsets of $4$ elements are the complements of the $3$-subsets of $P$ whose group sum is zero, namely $\{P_{20}, P_{21}, P_{22}\}^c$, $\{P_{01}, P_{11}, P_{21}\}^c$, $\{P_{02}, P_{12}, P_{22}\}^c$, $\{P_{01}, P_{12}, P_{20}\}^c$, $\{P_{02}, P_{11}, P_{20}\}^c$ (these $3$-subsets are the lines of the affine plane over $Z_3$ which avoid $O$ and $P_{10}$).

2) The minimal qualified subsets of $5$ elements are the complements of the pairs $\{a, -a\}$, namely $\{P_{01}, P_{02}\}^c$, $\{P_{11}, P_{22}\}^c$, $\{P_{12}, P_{21}\}^c$. A subset $\{a,b\}^c$ with $a + b \ne -g_0 = (2,0)$ is qualified but contains one of the subsets in 1); the three subsets $\{P_{01}, P_{22}\}^c$, $\{P_{02}, P_{21}\}^c$, $\{P_{11}, P_{12}\}^c$, for which $B = P_0$, are not qualified.

3) All subsets of $P$ with $6$ elements and the set $P$ are qualified.

The subsets in 1) and 2) are the minimal qualified subsets. Since there is an unqualified subset of $5$ elements, $d_{cheat} = 7 - 5 = 2$, and by Theorem 1, $2 = m - 2g + 1 \le d_{min} \le d_{cheat} = 2$. Thus this ideal LSSS is MDS, as Theorem 4 predicts since $D \cup \{O\} = E(GF(4))$.

Example 3. Let $E$ be the elliptic curve $y^2 + y = x^3$ defined over $GF(q)$, $q = 2^r$. This is a supersingular elliptic curve; $E(GF(q))$ has $2^r + 1$ rational points and is a cyclic group when $r$ is odd, and when $r = 2s$ is even (with $s$ odd, as in Example 2 where $s = 1$) $E(GF(q))$ has $2^r + 1 + 2 \cdot 2^s$ rational points and is isomorphic to the product of two cyclic groups of order $2^s + 1$. We take $G = mO$, where $O$ is the zero element of the group $E(GF(q))$. Let $D$ be the set of all non-zero rational points and let the point $P_0$ be an arbitrary non-zero point in $D$. Then $D \cup \{O\} = E(GF(q))$, and from Theorem 4 the ideal LSSS over $GF(q)$ is MDS.

For any fixed $r$ we can calculate the access structure as in Example 2. Now suppose $r = 3$; then the access structure can be computed as follows.

In the case over $GF(8)$, $E(GF(8))$ has $9$ rational points and is a cyclic group of order $9$. Let $P_i$ be the rational point on $E$ corresponding to $i$ in $Z_9 = \{0, 1, 2, \dots, 8\}$ for $i = 1, 2, \dots, 8$. Let $G = 3O$, where $O$ corresponds to the zero element of the group $E(GF(8))$, $D = \{P_1, \dots, P_8\}$ (so $P_0 = P_1$) and $P = \{P_2, \dots, P_8\}$. Then the access structure of the ideal LSSS from $C_\Omega(D,G)$ is as follows.

1) The minimal qualified subsets of $4$ elements are $\{P_2, P_3, P_4\}^c$, $\{P_3, P_7, P_8\}^c$, $\{P_4, P_6, P_8\}^c$, $\{P_5, P_6, P_7\}^c$ (the complements of the $3$-subsets of $\{2, \dots, 8\}$ with sum $0$ in $Z_9$).

2) The minimal qualified subsets of $5$ elements are $\{P_2, P_5\}^c$, $\{P_2, P_7\}^c$, $\{P_2, P_8\}^c$, $\{P_3, P_6\}^c$, $\{P_4, P_5\}^c$, $\{P_4, P_7\}^c$, $\{P_5, P_8\}^c$.

3) All subsets of $P$ with $6$ elements and the set $P$ are qualified.
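Theorem 3 turns the access structure into arithmetic in $E(GF(q))$: with $G = mO$, the complement $A^c$ of a $t$-subset $A$ of $P$ is qualified exactly when $t \le m - 2$ (Theorem 3 b)), or $t = m$ and $A$ sums to $O$, or $t = m - 1$ and $-\sum A \ne g_0$ (the one obstruction in the proof of Theorem 3 a) 2)); minimality and $d_{cheat}$ then follow by enumeration. The following added example (not code from the paper) implements this criterion on an abstract group $Z_{n_1} \oplus Z_{n_2}$ as in Theorem 2 together with the subgroup hypothesis of Theorem 4, and reproduces the minimal qualified subsets and $d_{cheat}$ of Examples 2 and 3 (and, for comparison, of Example 1, where $D \cup \{O\}$ is not a subgroup). The group labels of the points are the ones used in the examples; no field arithmetic is needed.

```python
"""Access structure of the ideal LSSS from C_Omega(D, mO) on an elliptic
curve, computed from the group E(GF(q)) alone (Theorem 3).  Group elements
are tuples in Z_{n1} x Z_{n2} as in Theorem 2; a cyclic group is (n,)."""
from itertools import combinations


def add(orders, a, b):
    return tuple((x + y) % n for x, y, n in zip(a, b, orders))


def neg(orders, a):
    return tuple((-x) % n for x, n in zip(a, orders))


def gsum(orders, elems):
    s = tuple(0 for _ in orders)
    for e in elems:
        s = add(orders, s, e)
    return s


def is_subgroup(orders, elems):
    """Hypothesis of Theorem 4: D U {O} is closed under the group law."""
    S = set(elems) | {tuple(0 for _ in orders)}
    return all(add(orders, a, b) in S for a in S for b in S)


def ec_lsss(orders, g0, players, m):
    """players: name -> group element of P_i for P = D - {P_0}; g0 is the
    element of P_0; m = deg G.  Returns (qualified, minimal, d_cheat) with
    the subsets of P given as frozensets of player names."""
    zero = tuple(0 for _ in orders)
    names = sorted(players)
    n = len(names)

    def qualified(S):                 # S is a candidate subset A^c of P
        A = [players[x] for x in names if x not in S]
        t = len(A)
        if t > m:                     # |S| < n - m: never qualified (Theorem 1)
            return False
        if t <= m - 2:                # Theorem 3 b)
            return True
        if t == m:                    # Theorem 3 a) 1): the sum of A must be O
            return gsum(orders, A) == zero
        # t == m - 1, Theorem 3 a) 2): B = -(sum of A); only B = P_0 obstructs
        return neg(orders, gsum(orders, A)) != g0

    subsets = [frozenset(c) for r in range(n + 1) for c in combinations(names, r)]
    Q = {S for S in subsets if qualified(S)}
    minimal = {S for S in Q if not any(T < S for T in Q)}
    d_cheat = n - max(len(S) for S in subsets if S not in Q)
    return Q, minimal, d_cheat


# The three examples of Section III, written as group data.
EX1 = dict(orders=(10,), g0=(1,), m=3,                  # Example 1: Z_10, P_i = (i+1) P_0
           players={f"P{i}": (i + 1,) for i in (1, 3, 5, 7)})
EX2 = dict(orders=(3, 3), g0=(1, 0), m=3,               # Example 2: Z_3 x Z_3, P_0 = P_10
           players={f"P{a}{b}": (a, b) for a in range(3) for b in range(3)
                    if (a, b) not in [(0, 0), (1, 0)]})
EX3 = dict(orders=(9,), g0=(1,), m=3,                   # Example 3 over GF(8): Z_9, P_0 = P_1
           players={f"P{i}": (i,) for i in range(2, 9)})


def report(ex):
    Q, minimal, d_cheat = ec_lsss(ex["orders"], ex["g0"], ex["players"], ex["m"])
    subgroup = is_subgroup(ex["orders"], [ex["g0"]] + list(ex["players"].values()))
    # With g = 1, Theorem 1 gives m-1 <= d_min <= d_cheat, so d_cheat = m-1
    # forces d_min = d_cheat = m-1, the conclusion of Theorem 4.
    return {"minimal": minimal, "d_cheat": d_cheat, "subgroup": subgroup,
            "d_equals_m_minus_1": d_cheat == ex["m"] - 1}


if __name__ == "__main__":
    for label, ex in (("Example 1", EX1), ("Example 2", EX2), ("Example 3", EX3)):
        r = report(ex)
        print(label, "d_cheat =", r["d_cheat"], "subgroup:", r["subgroup"])
        for S in sorted(r["minimal"], key=lambda S: (len(S), sorted(S))):
            print("   minimal qualified:", sorted(S))
```

For Examples 2 and 3 the report gives $d_{cheat} = 2 = m - 1$ with the subgroup condition satisfied; for Example 1 it gives $d_{cheat} = 3$ and the six pairs, and the subgroup test fails, so only the code-level computation of Example 1 decides $d_{min}$ there.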

IV. Conclusion

We have proved some sufficient conditions for the ideal linear secret-sharing scheme from the AG-codes on elliptic curves to be MDS; these schemes can be thought of as a natural generalization of Shamir's $(k,n)$-threshold scheme (which comes from the AG-codes on the genus $0$ curve, i.e., RS codes). From the main results of this paper many MDS ideal secret sharing schemes can be constructed. This demonstrates that elliptic curves, and perhaps also hyper-elliptic curves, are an important resource in the theory and practice of secret-sharing.